Abstract. We introduce the swap-or-not shuffle and show that the technique gives rise to a new method to convert a pseudorandom function (PRF) into a pseudorandom permutation (PRP) (or, alternatively, to directly build a confusion/diffusion blockcipher). We then prove that swap-or-not has excellent quantitative security bounds, giving a Luby-Rackoff type result that ensures security (assuming an ideal round function) to a number of adversarial queries that is nearly the size of the construction's domain. Swap-or-not provides a direct solution for building a small-domain cipher and achieving format-preserving encryption, yielding the best bounds known for a practical scheme for enciphering credit-card numbers. The analysis of swap-or-not is based on the theory of mixing times of Markov chains.

Keywords: Blockciphers, Feistel network, Luby-Rackoff, Markov chain, PRF-to-PRP conversion, pseu- 
dorandom permutations, swap-or-not. 
Overview. Despite the diversity of proposed blockciphers, only two approaches underlie the 
construction of real-world designs: essentially everything looks like some sort of Feistel network (e.g., 
DES, FEAL, MARS, RC6) or SP-network (e.g., Rijndael, Safer, Serpent, Square). Analogously, in 
the literature on constructing pseudorandom permutations (PRPs) from pseudorandom functions 
(PRFs), we have provable-security analyses for Feistel variants (e.g., [12-14,18,21]), as well as 
modes of operation (e.g., [10, 11, 18, 19]) that can again be construed as SP-networks, now on 
a large domain. Perhaps there just are not that many fundamentally different ways to make a 
blockcipher. Or perhaps we might have failed to notice other possibilities. 

In this short paper we describe a very different way to make a blockcipher. We call it a 
swap-or-not network (or cipher or shuffle). Besides introducing the construction, we evidence its 
cryptographic utility. We do this by showing that swap-or-not provides the quantitatively best 
mechanism known, in terms of concrete security bounds, to convert a PRF into a PRP. We also 
show that swap-or-not provides a practical solution for the problem of format-preserving encryption 
(FPE) on domains of troublesome size, such as enciphering credit-card numbers. 



proc $E_{KF}(X)$                                        // swap-or-not
    for $i \leftarrow 1$ to $r$ do
        $X' \leftarrow K_i \oplus X$,  $\hat X \leftarrow \max(X, X')$
        if $F_i(\hat X) = 1$ then $X \leftarrow X'$
    return $X$

Fig. 1. Cipher $E = \mathrm{SN}[r, n]$ encrypts $X \in \{0,1\}^n$ using a key $KF$ naming $K_1, \ldots, K_r \in \{0,1\}^n$ and round functions $F_1, \ldots, F_r : \{0,1\}^n \to \{0,1\}$.



Construction. Suppose we aim to encipher $n$-bit strings; our message space is the set $\mathcal{X} = \{0,1\}^n$. Assume we will use $r$ rounds, and that the blockcipher's key $KF$ names subkeys $K_1, \ldots, K_r \in \{0,1\}^n$ as well as round functions $F_1, \ldots, F_r$, each of which maps $n$ bits to a single bit, so $F_i : \{0,1\}^n \to \{0,1\}$. Then we encipher $X \in \{0,1\}^n$ as shown in Fig. 1. The reason that this works, that one gets a permutation, is simply that $X \mapsto K_i \oplus X$ is an involution, and our round function depends only on the set $\{X, K_i \oplus X\}$: both members of the pair see the same bit $F_i(\hat X)$, so either both are swapped or neither is, and each round is itself an involution. The inverse direction for swap-or-not is identical to the forward direction shown above except for having $i$ run from $r$ down to 1.

Restating the algorithm in English, at each round $i$ we pair the current value of $X \in \{0,1\}^n$ with a "partner" point $X' = K_i \oplus X$. We either replace $X$ by its partner or leave it alone. Which of these two things we do is determined by applying the boolean-valued $F_i$ to the two-element set $\{X, X'\}$. Actually, in order to give $F_i$ a more conventional domain, we select a canonical representative from $\{X, X'\}$, say $\hat X = \max(X, X')$, and apply $F_i$ to it. Note that each plaintext maps to a ciphertext by xoring into it some subset of the subkeys $\{K_1, \ldots, K_r\}$. This might sound linear, but it most definitely is not: which subset gets xored in depends, through the $F_i$, on the plaintext itself.

Card shuffling view. The swap-or-not construction was invented, and will be analyzed, by 
regarding it as a way to shuffle a deck of cards. Seeing a blockcipher as a card shuffle enables 
one to exploit a large body of mathematical techniques, these dating back to the first half of the 
twentieth century. In addition, some ways to shuffle cards give rise to enciphering schemes that 
cryptographers did not consider. Swap-or-not is such a case. 

One can always see a card shuffle as an enciphering scheme, and vice versa. If you have some method to shuffle $N$ cards, this determines a corresponding way to encipher $N$ points: place a card at each position $X \in [N]$, where $[N] = \{0, 1, \ldots, N-1\}$; shuffle the deck; then look to see the position where the card initially at position $X$ ended up. Call that position the ciphertext $Y$ for $X$. The randomness used in the shuffle corresponds to the cipher's key.

The first thing needed for a card shuffle to give rise to a computationally feasible blockcipher is 
that the shuffle be oblivious, an idea suggested by Moni Naor [18, p. 62], [23, p. 17]. In an oblivious 
shuffle one can trace the trajectory of a card without attending to lots of other cards in the deck. 
Most conventional shuffles, such as the riffle shuffle, are not oblivious. The Thorp shuffle [26] is 
oblivious — and so is swap-or-not. As a shuffle, here's how it looks. 

Recasting swap-or-not as a way to shuffle cards, suppose we have $N$ cards, one at each position $X \in [N]$, where $N = 2^n$. To shuffle the deck, choose a random $K \in \{0,1\}^n$ and then, for each pair of card positions $X$ and $K \oplus X$, flip a fair coin. If it lands heads, swap the cards at the indicated positions; if it lands tails, leave them alone. See Fig. 2. The process can be repeated any number $r$ of times, using independent coins (both the $K$-values and the $b$-values) for each shuffle.

When the swap-or-not shuffle of Fig. 2 is translated back into the language of encryption, one recovers the swap-or-not cipher of Fig. 1; these are different views of precisely the same process. The random pairing-up of cards specified by $K$ for the $i$th shuffle corresponds to the subkey $K_i$. The random bit $b$ flipped at the shuffle's round $i$ for the pair $\{X, K \oplus X\}$ corresponds to $F_i(\hat X)$, where $\hat X = \max(X, K \oplus X)$ is the pair's canonical representative.



$K \twoheadleftarrow \{0,1\}^n$                                  // swap-or-not as a shuffle
for each pair of positions $\{X, K \oplus X\}$ do
    $b \twoheadleftarrow \{0,1\}$
    if $b = 1$ then swap the cards at positions $X$ and $K \oplus X$

Fig. 2. Mixing a deck of $N = 2^n$ cards, each at a position $X \in \{0,1\}^n$. The code shows one shuffle. For better mixing, the shuffle is repeated $r$ times.
Generalizing. It is useful to be a bit more general here, working in a finite abelian group $G = ([N], +)$ instead of the group $(\{0,1\}^n, \oplus)$ of bit strings under xor. (For convenience, we have assumed that the group elements are named $[N] = \{0, \ldots, N-1\}$.) In this way we won't need the number of points $N$ in the message space $\mathcal{X} = [N]$ to be a power of two; we'll be able to encipher points on any set $\mathcal{X} = [N]$, just by naming a group operator, say addition modulo $N$. For generalizing the shuffle of Fig. 2, the value $K$ is uniformly drawn from $[N]$ rather than from $\{0,1\}^n$, and we consider the pair of positions $\{X, K - X\}$ rather than $\{X, K \oplus X\}$. For the generalized cipher, see Fig. 3, the key $KF$ will name subkeys $K_1, \ldots, K_r \in [N]$ and round functions $F_1, \ldots, F_r : [N] \to \{0,1\}$. We set $X' \leftarrow K_i - X$ rather than $X' \leftarrow K_i \oplus X$. The map $X \mapsto K_i - X$ is again an involution, which is all that the permutation property needs. The inverse remains what one gets by iterating from $r$ down to 1.
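A reference implementation of the generalized cipher of Fig. 3 together with the shuffle of Fig. 2, added here as an example (it is not code from the paper), so that the claim that the two are views of one process, and that the construction is a permutation on any $[N]$, can be checked mechanically. The random subkeys and random round functions of the analysis are replaced by HMAC-SHA256 outputs under a master key; that instantiation, the labels "subkey" and "round", the rejection sampling into $[N]$, and the class and method names are this example's own assumptions.

```python
import hashlib
import hmac
from typing import List

# Added example, not code from the paper: SN[r, N, +] of Fig. 3 plus the
# card-shuffle view of Fig. 2.  The random K_i and F_i of the analysis are
# replaced by a keyed PRF (HMAC-SHA256); that choice, the labels and the
# encoding below are assumptions of this example, not the paper's.


class SwapOrNot:
    """SN[r, N, +] over Z_N (partner K_i - X mod N), or over {0,1}^n with xor
    when use_xor=True and N = 2^n."""

    def __init__(self, master: bytes, rounds: int, N: int, use_xor: bool = False):
        if use_xor and N & (N - 1):
            raise ValueError("xor group needs N to be a power of two")
        if not 1 <= N < 2 ** 128:
            raise ValueError("N must fit in 16 bytes for the PRF encoding below")
        self.master, self.rounds, self.N, self.use_xor = master, rounds, N, use_xor
        self.subkeys: List[int] = [self._subkey(i) for i in range(1, rounds + 1)]

    def _prf(self, label: bytes, *ints: int) -> int:
        msg = label + b"".join(v.to_bytes(16, "big") for v in ints)
        return int.from_bytes(hmac.new(self.master, msg, hashlib.sha256).digest(), "big")

    def _subkey(self, i: int) -> int:
        # K_i uniform in [N]: rejection-sample the 256-bit PRF output so that
        # reduction mod N introduces no bias.
        limit = (1 << 256) - ((1 << 256) % self.N)
        ctr = 0
        while True:
            v = self._prf(b"subkey", i, ctr)
            if v < limit:
                return v % self.N
            ctr += 1

    def _round_bit(self, i: int, xhat: int) -> int:
        # F_i(xhat) in {0,1}: one PRF bit per (round, canonical representative).
        return self._prf(b"round", i, xhat) & 1

    def _partner(self, K: int, X: int) -> int:
        return K ^ X if self.use_xor else (K - X) % self.N

    def _apply(self, X: int, order: range) -> int:
        for i in order:
            Xp = self._partner(self.subkeys[i - 1], X)
            xhat = max(X, Xp)            # canonical representative of {X, X'}
            if self._round_bit(i, xhat) == 1:
                X = Xp
        return X

    def encrypt(self, X: int) -> int:
        return self._apply(X, range(1, self.rounds + 1))

    def decrypt(self, Y: int) -> int:
        # Every round is an involution, so the inverse runs them in reverse.
        return self._apply(Y, range(self.rounds, 0, -1))

    def shuffle(self) -> List[int]:
        """Fig. 2 view: a deck with card X at position X. Returns pos[X], the
        final position of card X, using the same K_i and the same coin bits."""
        deck = list(range(self.N))       # deck[position] = card
        for i in range(1, self.rounds + 1):
            K = self.subkeys[i - 1]
            for X in range(self.N):
                Xp = self._partner(K, X)
                if X < Xp:
                    continue             # visit each pair once, from its max
                if self._round_bit(i, X) == 1:
                    deck[X], deck[Xp] = deck[Xp], deck[X]
        pos = [0] * self.N
        for position, card in enumerate(deck):
            pos[card] = position
        return pos


def is_permutation(cipher: SwapOrNot) -> bool:
    return sorted(cipher.encrypt(x) for x in range(cipher.N)) == list(range(cipher.N))


def shuffle_matches_cipher(cipher: SwapOrNot) -> bool:
    """The card that started at X ends exactly where E(X) says it should."""
    return cipher.shuffle() == [cipher.encrypt(x) for x in range(cipher.N)]


if __name__ == "__main__":
    ssn = SwapOrNot(b"\x00" * 32, rounds=340, N=10 ** 9)   # 9-digit domain, Section 5 round count
    c = ssn.encrypt(123456789)
    assert ssn.decrypt(c) == 123456789
    small = SwapOrNot(b"\x00" * 32, rounds=24, N=37)
    assert is_permutation(small) and shuffle_matches_cipher(small)
    print("ciphertext of 123456789:", c)
```

The `shuffle` method walks every pair once from its larger element so that the coin it flips is the same bit $F_i(\max(X, X'))$ the cipher consults; with that convention the deck positions coincide with the cipher outputs for every key, which is the content of the "different views" remark above.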

Results. As with Luby and Rackoff's seminal paper [14], we can analyze the swap-or-not construction by regarding its constituent parts as uniformly random. Formally, let us write $\mathrm{SN}[r, N, +] : \mathcal{K} \times [N] \to [N]$ for the blockcipher $E$ specified in Fig. 3 that is swap-or-not with $r$ rounds, a message space of $[N]$, the indicated group operator, and where the key space names all possible subkeys $K_1, \ldots, K_r \in [N]$ and all possible round functions $F_1, \ldots, F_r : [N] \to \{0,1\}$. Thus a random key $KF$ for this cipher has the $K_i$ and $F_i$ values uniformly chosen. We define the CCA (also called the "strong-PRP") advantage of an adversary $A$ attacking $E$ by dropping it into one of two worlds. In the first, the adversary gets an oracle for $E_{KF}(\cdot)$, for a random $KF$, and also an oracle for its inverse, $E^{-1}_{KF}(\cdot)$. Alternatively, the adversary is given a uniformly random permutation $\pi : [N] \to [N]$, along with its inverse, $\pi^{-1}(\cdot)$. Define

$$\mathbf{Adv}^{\mathrm{cca}}_{\mathrm{SN}[r,N,+]}(q) = \max_A \left\{ \Pr\!\left[A^{E_{KF}(\cdot),\,E^{-1}_{KF}(\cdot)} \Rightarrow 1\right] - \Pr\!\left[A^{\pi(\cdot),\,\pi^{-1}(\cdot)} \Rightarrow 1\right] \right\},$$

the maximum over all adversaries that ask at most $q$ total queries. Our main result is that

$$\mathbf{Adv}^{\mathrm{cca}}_{\mathrm{SN}[r,N,+]}(q) \;\le\; \frac{8N^{3/2}}{r+4}\left(\frac{q+N}{2N}\right)^{r/4+1}. \qquad (1)$$

Roughly said, you need $r = 6\lg N$ rounds of swap-or-not to start to see a good bound on CCA-security. After that, the adversary's advantage drops off inverse exponentially in $r$. The summary explanation of formula (1) just given assumes that the number of adversarial queries is capped at $q = (1-\epsilon)N$ for some fixed $\epsilon > 0$.

The quantitative guarantee above is far stronger than anything a balanced Feistel network can deliver. The only remotely comparable bound we know, retaining security to $N^{1-\epsilon}$ queries instead of $(1-\epsilon)N$ queries, is the Thorp shuffle [26] (or, equivalently, a maximally-unbalanced Feistel network [17]). But the known result, establishing $\mathbf{Adv}^{\mathrm{cca}}(q) \le (2q/r + 1)(4nq/N)^r$ if one shuffles $N = 2^n$ points for $r(4n-2)$ rounds [17], becomes vacuous by the time that $q > N/(4\lg N)$, since the factor $(4nq/N)^r$ then exceeds 1. Numerically, the Thorp-shuffle bounds come out much weaker for most $r$, $q$, and $N$. See Fig. 4 for sample graphs comparing known bounds on balanced Feistel, the Thorp shuffle, and swap-or-not.

As a simple numerical example, swap-or-not enciphering 64-bit strings for 1200 rounds using a random round function will yield a maximal CCA advantage of less than $10^{-10}$, even if the adversary can ask $q = 2^{63}$ queries. While the number of rounds is obviously large, no other construction can deliver a comparable guarantee, achieving security even when $q$ is close to $N$. For a more complexity-theoretic discussion of swap-or-not, see Section 4.

proc $E_{KF}(X)$                                        // Generalized domain
    for $i \leftarrow 1$ to $r$ do
        $X' \leftarrow K_i - X$,  $\hat X \leftarrow \max(X, X')$
        if $F_i(\hat X) = 1$ then $X \leftarrow X'$
    return $X$

Fig. 3. Cipher $E = \mathrm{SN}[r, N, +]$ encrypts $X \in [N]$ using a key $KF$ naming $K_1, \ldots, K_r \in [N]$ and round functions $F_1, \ldots, F_r : [N] \to \{0,1\}$.

Fig. 4. Illustration of results. [Figure not reproduced; caption only.] The message space has $N = 2^{64}$ points. The graphs show established upper bounds on CCA advantage when the adversary asks $q$ queries, where $\log_2(q)$ labels the x-axis. Rightmost two graphs: the new results, the swap-or-not cipher for either eight passes (512 rounds) (SN-8) or 10 (SN-10), as given by Theorem 4. (One pass is defined as $\lceil \lg N \rceil$ rounds.) For comparison, the leftmost two graphs are for balanced Feistel, both the classical 4-round result of Luby and Rackoff [14, 20] (LR-4) and then a six-round result of Patarin (LR-6) [22, Th. 7]. The middle two graphs are for the Thorp shuffle, either with eight passes (TH-8) or 20 (TH-20), as given by [17, Th. 5].

Format-preserving encryption. Swap-or-not was originally invented as a solution for format-preserving encryption (FPE) [1, 3, 5], where it provides the best known solution, in terms of proven-security bounds, when $N$ is too big to spend linear time computing, yet too small for conventional constructions to deliver desirable bounds. This landscape has not much changed with the recent work of Stefanov and Shi [24], who, following Granboulan and Pornin [9], show how to speed up (e.g., to $O(N^{0.5})$ time) determining where a card goes in a particular $N$-card shuffle after spending $O(N)$ time at key-setup. For more discussion of swap-or-not and its use in FPE, see Section 5.

2 Preliminaries 

Total variation distance. Let $\mu$ and $\nu$ be probability distributions on $\Omega$. The total variation distance between distributions $\mu$ and $\nu$ is defined as

$$\|\mu - \nu\| = \frac{1}{2}\sum_{x \in \Omega} |\mu(x) - \nu(x)|,$$

half the $L_1$-norm of $\mu - \nu$.

Blockciphers. Let $E : \mathcal{K} \times \mathcal{M} \to \mathcal{M}$ be a blockcipher, meaning that $\mathcal{K}$ and $\mathcal{M}$ are finite and each $E_K(\cdot) = E(K, \cdot)$ is a permutation on $\mathcal{M}$. We emphasize that $\mathcal{K}$ and $\mathcal{M}$ need not consist of binary strings of some particular length, as is often assumed to be the case. For any blockcipher $E$, we let $E^{-1}$ be its inverse blockcipher.



For blockcipher $E : \mathcal{K} \times \mathcal{M} \to \mathcal{M}$ and adversary $A$ the advantage of $A$ in carrying out an (adaptive) chosen-ciphertext attack (CCA) on $E$ is

$$\mathbf{Adv}^{\mathrm{cca}}_E(A) = \Pr\!\left[K \twoheadleftarrow \mathcal{K} : A^{E_K(\cdot),\,E_K^{-1}(\cdot)} \Rightarrow 1\right] - \Pr\!\left[\pi \twoheadleftarrow \mathrm{Perm}(\mathcal{M}) : A^{\pi(\cdot),\,\pi^{-1}(\cdot)} \Rightarrow 1\right].$$

Here $\mathrm{Perm}(\mathcal{M})$ is the set of all permutations on $\mathcal{M}$. We say that $A$ carries out an (adaptive) chosen-plaintext attack (CPA) if it asks no queries to its second oracle. Adversary $A$ is non-adaptive if it asks the same queries on every run. Let $\mathbf{Adv}^{\mathrm{cca}}_E(q)$ be the maximum advantage of any (adaptive) CCA adversary against $E$ subject to the adversary asking at most $q$ total oracle queries. Similarly define $\mathbf{Adv}^{\mathrm{ncpa}}_E(q)$ for nonadaptive CPA attacks (NCPA).

For blockciphers $F, G : \mathcal{K} \times \mathcal{M} \to \mathcal{M}$ let $F \circ G$ denote their cascade, with $F$'s output fed into $G$'s input; formally, $F \circ G : \mathcal{K}^2 \times \mathcal{M} \to \mathcal{M}$ is defined by $(F \circ G)_{(K, K')}(X) = G_{K'}(F_K(X))$.

Lifting NCPA to CCA security. We bound the CCA-security of swap-or-not from its NCPA-security by using the following result of Maurer, Pietrzak, and Renner [15, Corollary 5]. It is key to our approach, effectively letting us assume that our adversaries are of the simple, NCPA breed. Recall that in writing $F \circ G$, the blockciphers are, in effect, independently keyed.

Lemma 1 (Maurer-Pietrzak-Renner) If $F$ and $G$ are blockciphers on the same message space then, for any $q$,

$$\mathbf{Adv}^{\mathrm{cca}}_{F \circ G^{-1}}(q) \;\le\; \mathbf{Adv}^{\mathrm{ncpa}}_F(q) + \mathbf{Adv}^{\mathrm{ncpa}}_G(q).$$


3 Security of Swap-Or-Not 

Fix a finite abelian group $G = ([N], +)$ where $[N] = \{0, 1, \ldots, N-1\}$. We define the swap-or-not shuffle $\mathrm{SN}[r, N, +]$ of $r$ rounds over the elements of $G$. The shuffling at round $t$ is as follows. Initially, each of $N$ distinct cards is at a position in the set $[N]$. To shuffle during this round, choose $K_t \twoheadleftarrow [N]$, the subkey at round $t$. Then, for each set $\{X, K_t - X\}$ with $X \in G$, choose $b \twoheadleftarrow \{0,1\}$ and then swap the cards at positions $X$ and $K_t - X$ if $b = 1$.

Let $\{W_t : t \ge 0\}$ be the Markov chain representing the swap-or-not shuffle with $N$ cards. More formally, let $C$ be a set of cardinality $N$, whose elements we call cards. The state space of $\{W_t\}$ is the set of bijections from $C$ to $\{0, \ldots, N-1\}$. For a card $z \in C$, we interpret $W_t(z)$ as the position of card $z$ at time $t$.

Let $A$ be a deterministic adversary that makes exactly $q$ queries. Our proof is based on an analysis of the mixing rate of the swap-or-not shuffle. However, since $A$ makes only $q \le N$ queries, we need only bound the rate at which some $q$-element subset of the cards mixes. So let $z_1, \ldots, z_q$ be distinct cards in $C$, and let $X_t$ be the vector of positions of cards $z_1, \ldots, z_q$ at time $t$. For $j \in \{1, \ldots, q\}$ we write $X_t(j)$ for the position of card $z_j$ at time $t$, and define $X_t(1, \ldots, j) = (X_t(1), \ldots, X_t(j))$. We shall call $X_t$ the projected swap-or-not shuffle. Note that the stationary distribution of $X_t$, which we denote by $\pi$, is uniform over the set of distinct $q$-tuples of elements from $G$. Equivalently, it is the distribution of $q$ samples without replacement from $G$. Let $\tau_t$ denote the distribution of $X_t$.

Theorem 2 (Rapid mixing). Consider the swap-or-not shuffle $\mathrm{SN}[r, N, +]$ for $r, N \ge 1$, and let $q \in \{1, \ldots, N\}$. Fix $z_1, \ldots, z_q$ and let $\{X_t : t \ge 0\}$ be the corresponding projected swap-or-not shuffle, let $\pi$ be its stationary distribution, and let $\tau_t$ be the distribution of $X_t$. Then

$$\|\tau_r - \pi\| \;\le\; \sum_{\ell=0}^{q-1} \frac{\sqrt N}{2}\left(\frac{\ell+N}{2N}\right)^{r/2} \;\le\; \frac{2N^{3/2}}{r+2}\left(\frac{q+N}{2N}\right)^{r/2+1},$$

where the second inequality follows by bounding the sum of the increasing summands by the integral $\int_0^q \frac{\sqrt N}{2}\left(\frac{x+N}{2N}\right)^{r/2}dx$.
Proof. Let $\tau^k_t$ be the conditional distribution of $X_t$ given the subkeys $K_1, \ldots, K_r$. (Here we consider $K_1, \ldots, K_r$ random variables, and we condition on the $\sigma$-algebra of these random variables.) We will actually show that $\mathbf{E}(\|\tau^k_r - \pi\|)$ satisfies the claimed inequality. Note that since $K_1, \ldots, K_r$ are random variables, so is $\tau^k_r$, and hence so is $\|\tau^k_r - \pi\|$. This implies the theorem since $\tau_r = \mathbf{E}(\tau^k_r)$ and hence

$$\|\tau_r - \pi\| = \|\mathbf{E}(\tau^k_r - \pi)\| \;\le\; \mathbf{E}(\|\tau^k_r - \pi\|),$$

by Jensen's inequality, since for distributions $\mu$ and $\tau$, the total variation distance $\|\mu - \tau\|$ is half the $L_1$-norm of $\mu - \tau$, and the $L_1$-norm is convex. For a distribution $\nu$ on $q$-tuples of $\Omega$, define

$$\nu(u_1, \ldots, u_j) = \Pr[Z_1 = u_1, \ldots, Z_j = u_j] \quad\text{and}\quad \nu(u_j \mid u_1, \ldots, u_{j-1}) = \Pr[Z_j = u_j \mid Z_1 = u_1, \ldots, Z_{j-1} = u_{j-1}]$$

where $(Z_1, \ldots, Z_q) \sim \nu$. For example, $\tau_t(u_1, \ldots, u_j)$ is the probability that, in the swap-or-not shuffle, cards $z_1, \ldots, z_j$ land in positions $u_1, \ldots, u_j$ at time $t$, while $\tau_t(u_j \mid u_1, \ldots, u_{j-1})$ is the probability that at time $t$ card $z_j$ is in position $u_j$ given that cards $z_1, \ldots, z_{j-1}$ are in positions $u_1, \ldots, u_{j-1}$. On the other hand, $\pi(u_j \mid u_1, \ldots, u_{j-1})$ is the probability that, in a uniform random ordering, card $z_j$ is in position $u_j$ given that cards $z_1, \ldots, z_{j-1}$ land in positions $u_1, \ldots, u_{j-1}$.

Each of the conditional distributions $\tau^k_t(\cdot \mid u_1, \ldots, u_{j-1})$ converges to uniform as $t \to \infty$. When all of these distributions are "close" to uniform, then $\tau^k_t$ will be close to $\pi$. In fact, we only need the conditional distributions to be close "on average," as is formalized in the following lemma, which is easily established using coupling. For a proof, see [17, Appendix A].

Lemma 3 Fix a finite nonempty set $\Omega$ and let $\mu$ and $\nu$ be probability distributions supported on $q$-tuples of elements of $\Omega$, and suppose that $(Z_1, \ldots, Z_q) \sim \mu$. Then

$$\|\mu - \nu\| \;\le\; \sum_{\ell=0}^{q-1} \mathbf{E}\big(\|\mu(\cdot \mid Z_1, \ldots, Z_\ell) - \nu(\cdot \mid Z_1, \ldots, Z_\ell)\|\big). \qquad (2)$$

Note that in the above lemma, since $Z_1, \ldots, Z_q$ are random variables (whose joint distribution is given by $\mu$), so is $\|\mu(\cdot \mid Z_1, \ldots, Z_\ell) - \nu(\cdot \mid Z_1, \ldots, Z_\ell)\|$ for every $\ell < q$; each summand in the right-hand side of (2) is the expectation of one of these random variables.

Recall that $\tau^k_t$ is the conditional distribution of $X_t$ given $K_1, \ldots, K_r$. Fix $\ell \in \{0, \ldots, q-1\}$. We wish to bound the expected distance between the distribution $\tau^k_t(\cdot \mid X_t(1), \ldots, X_t(\ell))$ and $\pi(\cdot \mid X_t(1), \ldots, X_t(\ell))$ (i.e., the uniform distribution on $G \setminus \{X_t(1), \ldots, X_t(\ell)\}$).

For $t \ge 0$, let $S_t = G \setminus \{X_t(1), \ldots, X_t(\ell)\}$. Thus $S_t$ is the set of positions that card $z_{\ell+1}$ could be located in at time $t$, given the positions of cards $z_1, \ldots, z_\ell$. For $a \in S_t$, let $p_t(a) = \tau^k_t(a \mid X_t(1), \ldots, X_t(\ell))$. Then we have

$$\|\tau^k_t(\cdot \mid X_t(1, \ldots, \ell)) - \pi(\cdot \mid X_t(1, \ldots, \ell))\| = \frac12 \sum_{a \in S_t} |p_t(a) - 1/m|, \qquad (3)$$
where $m = |S_t| = N - \ell$. Using the Cauchy-Schwarz inequality twice gives

$$\mathbf{E}\Big[\sum_{a \in S_t} |p_t(a) - 1/m|\Big] \;\le\; \mathbf{E}\Big[\Big(m \sum_{a\in S_t}(p_t(a) - 1/m)^2\Big)^{1/2}\Big] \;\le\; \Big(m\,\mathbf{E}\Big[\sum_{a\in S_t}(p_t(a)-1/m)^2\Big]\Big)^{1/2} \;\le\; \Big(N\,\mathbf{E}\Big[\sum_{a\in S_t}(p_t(a)-1/m)^2\Big]\Big)^{1/2}. \qquad (4)$$

We shall prove, by induction on $t$, that

$$\mathbf{E}\Big[\sum_{a\in S_t}(p_t(a) - 1/m)^2\Big] \;\le\; \left(\frac{\ell+N}{2N}\right)^t \qquad (5)$$

for every $t \le r$. Then, substituting $t = r$ into (3), (4), and (5), we have

$$\mathbf{E}\big(\|\tau^k_r(\cdot\mid X_r(1,\ldots,\ell)) - \pi(\cdot \mid X_r(1,\ldots,\ell))\|\big) \;\le\; \frac12\Big(N\,\mathbf{E}\Big[\sum_{a\in S_r}(p_r(a)-1/m)^2\Big]\Big)^{1/2} \;\le\; \frac{\sqrt N}{2}\left(\frac{\ell+N}{2N}\right)^{r/2}.$$

Substituting this into Lemma 3 gives

$$\mathbf{E}(\|\tau^k_r - \pi\|) \;\le\; \sum_{\ell=0}^{q-1}\mathbf{E}\big(\|\tau^k_r(\cdot\mid X_r(1,\ldots,\ell)) - \pi(\cdot\mid X_r(1,\ldots,\ell))\|\big) \;\le\; \sum_{\ell=0}^{q-1}\frac{\sqrt N}{2}\left(\frac{\ell+N}{2N}\right)^{r/2}.$$

We now verify equation (5). First, consider the base case $t = 0$. Since the initial positions of the cards are deterministic,

$$\mathbf{E}\Big[\sum_{a\in S_0}(p_0(a)-1/m)^2\Big] = (1 - 1/m)^2 + (m-1)\cdot(0 - 1/m)^2 = 1 - 1/m < 1.$$

Now suppose that equation (5) holds for $t$. We prove that it also holds for $t+1$. Define $s_t = \sum_{a\in S_t}(p_t(a) - 1/m)^2$. It is sufficient to show that

$$\mathbf{E}(s_{t+1} \mid s_t) \;\le\; \frac{\ell+N}{2N}\, s_t. \qquad (6)$$

Define $f : S_t \to S_{t+1}$ by

$$f(a) = \begin{cases} a & \text{if } a \in S_{t+1}; \\ K_{t+1} - a & \text{otherwise.} \end{cases}$$
Note that $f$ is a bijection from $S_t$ to $S_{t+1}$: it sends $S_t$ to $S_{t+1}$ because if $a \in S_t$ then either $a$ or $K_{t+1} - a$ must be in $S_{t+1}$, and it has an inverse $f^{-1} : S_{t+1} \to S_t$ defined by

$$f^{-1}(b) = \begin{cases} b & \text{if } b \in S_t; \\ K_{t+1} - b & \text{otherwise.}\end{cases}$$

Furthermore, note that

$$p_{t+1}(f(a)) = \begin{cases} p_t(a) & \text{if } K_{t+1} - a \notin S_t; \\ \tfrac12 p_t(a) + \tfrac12 p_t(K_{t+1} - a) & \text{otherwise.}\end{cases}$$

Since $K_{t+1}$ is independent of the process up to time $t$, we have $\Pr[K_{t+1} - a = y \mid s_t] = 1/N$ for every $y \in G$. Hence, since $|S_t| = m$ and $N - m = \ell$, conditioning on the value of $K_{t+1} - a$ gives

$$\mathbf{E}\big[(p_{t+1}(f(a)) - 1/m)^2 \mid s_t\big] = \frac{\ell}{N}(p_t(a) - 1/m)^2 + \frac1N\sum_{y\in S_t}\left(\frac{p_t(a)+p_t(y)}{2} - \frac1m\right)^2. \qquad (7)$$

The sum can be rewritten as

$$\sum_{y\in S_t}\frac14\big[(p_t(y) - 1/m) + (p_t(a) - 1/m)\big]^2 = \frac14\sum_{y\in S_t}(p_t(y)-1/m)^2 + \frac12(p_t(a)-1/m)\sum_{y\in S_t}(p_t(y)-1/m) + \frac m4(p_t(a)-1/m)^2 = \frac14 s_t + \frac m4(p_t(a)-1/m)^2,$$

since $\sum_{y\in S_t}(p_t(y) - 1/m) = 0$. Combining this with (7) gives

$$\mathbf{E}\big[(p_{t+1}(f(a)) - 1/m)^2 \mid s_t\big] = \frac{s_t}{4N} + \frac{4\ell + m}{4N}(p_t(a) - 1/m)^2. \qquad (8)$$

Note that

$$\mathbf{E}(s_{t+1}\mid s_t) = \mathbf{E}\Big[\sum_{b\in S_{t+1}}(p_{t+1}(b) - 1/m)^2 \,\Big|\, s_t\Big] = \sum_{a\in S_t}\mathbf{E}\big[(p_{t+1}(f(a)) - 1/m)^2 \mid s_t\big].$$

Evaluating each term in the sum using (8) gives

$$\mathbf{E}(s_{t+1}\mid s_t) = \frac{m s_t}{4N} + \frac{4\ell+m}{4N}\sum_{a\in S_t}(p_t(a)-1/m)^2 = \frac{m s_t}{4N} + \frac{(4\ell+m)s_t}{4N} = \frac{(2m + 4\ell)\, s_t}{4N} = \frac{\ell+N}{2N}\, s_t,$$

where the last equality holds because $m + \ell = N$. It follows that $\mathbf{E}(s_{t+1}\mid s_t) = \frac{\ell+N}{2N}s_t$, which verifies (6) and hence (5). This completes the proof.
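An exact check of the recursion just derived, added here as an example (it is not part of the paper): for small $N$ it averages the update rule for $p_{t+1}(f(a))$ over all $N$ values of $K_{t+1}$ in rational arithmetic and compares the result with $\frac{\ell+N}{2N}s_t$, for an arbitrary free set $S_t$ and an arbitrary conditional distribution $p_t$ on it. The random instances are constructed test data and the function names are this example's own.

```python
from fractions import Fraction
import random
from typing import Dict, Set, Tuple

# Added example, not from the paper: exact verification of
#   E(s_{t+1} | s_t) = ((l + N) / (2N)) * s_t                       (6)
# for small N by enumerating every value of the fresh subkey K_{t+1}.
# S is the set S_t of m = N - l positions not occupied by the l conditioned
# cards; p is p_t, a distribution on S.


def s_value(S: Set[int], p: Dict[int, Fraction]) -> Fraction:
    """s_t = sum_{a in S_t} (p_t(a) - 1/m)^2."""
    m = len(S)
    return sum((p[a] - Fraction(1, m)) ** 2 for a in S)


def next_s_given_key(N: int, S: Set[int], p: Dict[int, Fraction], K: int) -> Fraction:
    """s_{t+1} for one fixed K = K_{t+1}.  Per the proof, p_{t+1}(f(a)) is
    p_t(a) when the partner K - a lies outside S_t (it holds one of the l
    conditioned cards) and (p_t(a) + p_t(K - a))/2 when both are free."""
    m = len(S)
    total = Fraction(0)
    for a in S:
        y = (K - a) % N
        q = (p[a] + p[y]) / 2 if y in S else p[a]
        total += (q - Fraction(1, m)) ** 2
    return total


def expected_next_s(N: int, S: Set[int], p: Dict[int, Fraction]) -> Fraction:
    """E(s_{t+1} | s_t) with K_{t+1} uniform in [N], independent of the past."""
    return sum(next_s_given_key(N, S, p, K) for K in range(N)) / N


def random_instance(N: int, ell: int, seed: int) -> Tuple[Set[int], Dict[int, Fraction]]:
    """Constructed test data: a random free set of N - ell positions and a
    random distribution on it (any distribution on S_t is admissible)."""
    rng = random.Random(seed)
    S = set(rng.sample(range(N), N - ell))
    weights = {a: rng.randint(1, 9) for a in S}
    total = sum(weights.values())
    return S, {a: Fraction(w, total) for a, w in weights.items()}


def recursion_holds(N: int, ell: int, seed: int) -> bool:
    """Exact equality (6) on one random instance."""
    S, p = random_instance(N, ell, seed)
    return expected_next_s(N, S, p) == Fraction(ell + N, 2 * N) * s_value(S, p)


def base_case(N: int, ell: int) -> Fraction:
    """s_0 for a card at a known position: (1 - 1/m)^2 + (m - 1)/m^2 = 1 - 1/m."""
    m = N - ell
    S = set(range(m))
    p = {a: Fraction(1 if a == 0 else 0) for a in S}
    return s_value(S, p)


if __name__ == "__main__":
    for N, ell, seed in [(8, 0, 1), (12, 3, 2), (17, 5, 3)]:
        print(N, ell, recursion_holds(N, ell, seed))
```

The equality is exact, not approximate, because (8) only uses that $p_t$ sums to 1 over $S_t$ and that $K_{t+1} - a$ is uniform; the script therefore accepts any $S_t$ and any $p_t$, including the degenerate point mass of the base case.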
CCA-security. Observe that if $E = \mathrm{SN}[r, N, +]$ for some abelian group $G = ([N], +)$ then $E^{-1}$ is also $\mathrm{SN}[r, N, +]$: the inverse runs the same rounds with the subkeys and round functions taken in reverse order, and a key naming $(K_r, F_r), \ldots, (K_1, F_1)$ is again a uniformly random key. Hence $\mathrm{SN}[2r, N, +]$ is the cascade $F \circ G^{-1}$ of two independently keyed copies $F$, $G$ of $\mathrm{SN}[r, N, +]$. A nonadaptive CPA adversary that asks $q$ queries sees exactly a sample of the projected shuffle $X_r$ on the $q$ cards it names, so $\mathbf{Adv}^{\mathrm{ncpa}}_{\mathrm{SN}[r,N,+]}(q) \le \|\tau_r - \pi\|$. Employing Lemma 1 and Theorem 2 we conclude our main theorem.

Theorem 4. Let $E = \mathrm{SN}[2r, N, +]$. Then

$$\mathbf{Adv}^{\mathrm{cca}}_E(q) \;\le\; 2\sum_{\ell=0}^{q-1}\frac{\sqrt N}{2}\left(\frac{\ell+N}{2N}\right)^{r/2} \;\le\; \frac{4N^{3/2}}{r+2}\left(\frac{q+N}{2N}\right)^{r/2+1}.$$

Writing the bound in terms of the total number of rounds (substitute $r/2$ for $r$) gives formula (1) of the introduction.



4 Complexity-Theoretic Interpretation 

While Theorem 4 is information-theoretic, it should be clear that the result applies to the complexity-theoretic setting too, in exactly the same manner as Luby-Rackoff [14] and its successors. Namely, from a PRF $F : \mathcal{K} \times \{0,1\}^* \to \{0,1\}$ and a number $n$, define $n$-bit round functions $F_i(X)$ whose $j$th bit is $F(\langle i, j, n, X\rangle)$. Also define $n$-bit round keys $K_i$ whose $j$th bit is $F(\langle i, j, n\rangle)$. Using these components, apply the swap-or-not construction for, say, $r = 7n$ rounds, yielding a PRP $E$ on $n$ bits. Translating the information-theoretic result into this setting, the PRP-security of $E$ is the PRF-security of $F$ minus a term that remains negligible until $q = (1-\epsilon)2^n$ adversarial queries, for any $\epsilon > 0$. That is, from the asymptotic point of view, the swap-or-not construction preserves essentially all of a PRF's security in the constructed PRP.

We emphasize that our security results only cover the (strong) PRP notion of security. An interesting question we leave open is whether the swap-or-not cipher is indifferentiable from a random permutation [16]. Following Coron, Patarin, and Seurin [6], Holenstein, Künzler, and Tessaro show that the 14-round Feistel construction is indifferentiable from a random permutation [12]. But their proof is complex and delivers very poor concrete-security bounds. It would be desirable to have a construction supporting a simpler proof with better bounds.

5 Format-Preserving Encryption 

In the format-preserving encryption (FPE) problem, one wants to encipher on an arbitrary set $\mathcal{X}$, often $\mathcal{X} = [N]$ for some number $N$. Usually constructions are sought that start from a conventional blockcipher, like AES. The problem has attracted increasing interest [1-5, 8, 9, 17, 24, 25, 27], and is the subject of ongoing standardization work by NIST and the IEEE.

When $N$ is sufficiently small that one can afford $O(N)$-time to encrypt, provably good solutions are easy, by directly realizing a random shuffle [3]. And when $N$ is sufficiently large that no adversary could ask anything near $N^{1/2}$ queries, nice solutions are again easy, using standard cryptographic constructions like multi-round Feistel. But for intermediate-size domains, like those with $2^{30}$ to $2^{60}$ points, the bounds associated to well-known constructions are disappointing, even if known attacks are not remotely feasible, and spending time proportional to the domain size, even in the key-setup phase, is not attractive.

With these problematic-size domains in mind, suppose we use swap-or-not to encipher 9-digit social security numbers ($N \approx 2^{30}$). Employing Theorem 4, if we use 340 rounds we are guaranteed a maximal CCA advantage of less than $10^{-10}$ even if the adversary can ask $q = 10^8$ queries. Similarly, suppose we use swap-or-not to encipher 16-digit credit cards ($N \approx 2^{53}$). If we use 500 rounds we are guaranteed a maximal CCA advantage of less than $10^{-10}$ even if the adversary can ask $q = 10^{15}$ queries. (Of course these numbers assume random round functions; if one bases the construction on AES, say, one will have to add in a term for its insecurity.) The round counts are obviously high, yet the rounds are fast and the guarantees are strong. (We note too that, at least for the binary-string setting and AES as a starting point, there are tricks to reduce the number of blockcipher calls by a factor of five, as shown in prior work [17]. But this is probably not helpful in the presence of good AES support, as with recent Intel processors.)
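To check the round counts quoted in this section, and the 64-bit example of the introduction, the following calculator evaluates formula (1) (equivalently Theorem 4 applied to $2r$ rounds) and the Thorp-shuffle bound quoted from [17]. It is an added example, not code from the paper; `rounds_for_target`, its 4-round search step, and the overflow cap are this example's own choices.

```python
import math

# Added example, not from the paper: numeric evaluation of the proven bounds.
# Everything is done in the log domain because N^{3/2} and the powers involved
# would otherwise overflow or underflow double precision.


def _exp(log_b: float) -> float:
    # Bounds above e^700 are vacuous anyway; report them as infinity.
    return math.inf if log_b > 700 else math.exp(log_b)


def sn_cca_bound(rounds: int, N: float, q: float) -> float:
    """Formula (1): Adv^cca_{SN[rounds,N,+]}(q) <= 8 N^{3/2}/(rounds+4) * ((q+N)/(2N))^{rounds/4+1},
    for uniformly random subkeys and round functions."""
    if not 0 <= q <= N:
        raise ValueError("q must lie in [0, N]")
    log_b = (math.log(8) + 1.5 * math.log(N) - math.log(rounds + 4)
             + (rounds / 4 + 1) * math.log((q + N) / (2 * N)))
    return _exp(log_b)


def thorp_cca_bound(r: int, n: int, q: float) -> float:
    """The bound quoted from [17] for the Thorp shuffle on N = 2^n points run for
    r(4n-2) rounds: (2q/r + 1) * (4nq/N)^r.  Vacuous once q > N/(4n)."""
    N = 2.0 ** n
    log_b = math.log(2 * q / r + 1) + r * math.log(4 * n * q / N)
    return _exp(log_b)


def rounds_for_target(N: float, q: float, target: float, step: int = 4) -> int:
    """Smallest multiple of `step` rounds for which formula (1) drops below target."""
    rounds = step
    while sn_cca_bound(rounds, N, q) >= target:
        rounds += step
    return rounds


if __name__ == "__main__":
    print("SSN, 340 rounds, q=1e8:     ", sn_cca_bound(340, 1e9, 1e8))
    print("card, 500 rounds, q=1e15:   ", sn_cca_bound(500, 1e16, 1e15))
    print("64-bit, 1200 rounds, q=2^63:", sn_cca_bound(1200, 2.0 ** 64, 2.0 ** 63))
    print("Thorp, 20 passes, q=2^50:   ", thorp_cca_bound(20, 64, 2.0 ** 50))
    print("rounds for 64-bit / 2^63 / 1e-10:", rounds_for_target(2.0 ** 64, 2.0 ** 63, 1e-10))
```

Note what the calculator does not promise: at $q = N$ the factor $((q+N)/2N)^{r/4+1}$ equals 1 and formula (1) exceeds 1 for any round count, which is the "$(1-\epsilon)N$ queries" restriction stated above; and the numbers say nothing about an AES-based instantiation beyond the additive PRF term mentioned in the text.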

A very different approach to small-domain FPE is taken by Granboulan and Pornin [9], who show how to realize a particular shuffle on $N$ cards in $O(\lg^3 N)$ encryption time and $O(\lg N)$ space. But the method seems to be impractical, requiring extended-precision arithmetic to sample from a hypergeometric distribution. Stefanov and Shi go on to show how to exploit preprocessing to realize a different $N$-card shuffle [24]. Their method is applicable when the key-setup cost of $O(N)$ is feasible, as is key storage and per-message encryption cost of $O(N^{1/2})$. Near or beyond $N \approx 2^{30}$, these assumptions seem unlikely to hold in most settings. That said, the approach allows an adversary to query all $N$ points, whereas the shuffle of this paper has only been proven to withstand $(1-\epsilon)N$ queries. (We conjecture that swap-or-not works well for $N$ queries and reasonable $r$, that its mixing time is fast, but no such result is proven here.)

6 Confusion/Diffusion Ciphers

Swap-or-not can also be construed as an approach for making a confusion/diffusion blockcipher. In doing this one would instantiate round functions $F_i : \{0,1\}^n \to \{0,1\}$ by a fast, concrete construction. Perhaps the simplest plausible instantiation is to have $F_i$ be specified by an $n$-bit string $L_i$, letting $F_i(X) = L_i \cdot X = L_i[1]X[1] \oplus \cdots \oplus L_i[n]X[n]$ be the inner product of $L_i$ and $X$. This concrete realization of swap-or-not is shown in Fig. 5. (We comment that for this instantiation it is necessary to use "max" instead of "min" in selecting a canonical one of $\{X, X'\}$; otherwise, we'd have $X = 0^n$ always encrypting to $0^n$, since $\min(0^n, K_i) = 0^n$ and $L_i \cdot 0^n = 0$, so no round would ever swap.)

We do not know how many rounds to suggest such that the construction of Fig. 5 should be a good blockcipher. It is incorrect to think that the theoretical analysis suggests a value like $r = 6n$; for one thing, there is an enormous gap between computing a random round function $F_i(X)$ and an inner product $L_i \cdot X$. We leave it as a problem for cryptanalysts to investigate how large $r$ needs to be, to ascertain if inner product with $L_i$ is actually a good choice for $F_i$, and to understand what other choices might work well.